Branch predictor storing encrypted information
Abstract
Techniques are disclosed relating to protecting branch prediction information. In various embodiments, an integrated circuit includes branch prediction logic having a table that maintains a plurality of entries storing encrypted target address information for branch instructions. The branch prediction logic is configured to receive machine context information for a branch instruction having a target address being predicted by the branch prediction logic, the machine context information including a program counter associated with the branch instruction. The branch prediction logic is configured to use the machine context information to decrypt encrypted target address information stored in one of the plurality of entries identified based on the program counter. In some embodiments, the branch prediction logic decrypts the encrypted target address information by performing a cipher to encrypt the machine context information and performing a Boolean exclusive-OR operation of the encrypted machine context information and the encrypted target address information.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. An integrated circuit, comprising:
a branch prediction circuit including a table configured to maintain a plurality of entries that store encrypted branch prediction information for a plurality of branch instructions; and
wherein the branch prediction circuit is configured to:
receive machine context information for a branch instruction being predicted by the branch prediction circuit, wherein the machine context information includes a program counter associated with the branch instruction; and
use the machine context information to decrypt the encrypted branch prediction information stored in one of the plurality of entries.
2. The integrated circuit of claim 1 , wherein a particular entry in the table corresponding to the branch instruction includes a security tag having one or more fields; and
wherein the branch prediction circuit is configured to compare data within the received machine context information to values of the one or more fields of the particular entry in order to determine whether access to the encrypted branch prediction information is permitted.
3. The integrated circuit of claim 2 , wherein a particular one of the one or more fields of the security tag includes permissible exception levels for execution of the branch instruction.
4. The integrated circuit of claim 2 , wherein a particular one of the one or more fields of the security tag specifies a process identifier for a process associated with the branch instruction.
5. The integrated circuit of claim 2 , wherein a particular one of the one or more fields of the security tag includes an indication of whether the branch instruction executes in a privileged mode.
6. The integrated circuit of claim 2 , wherein a particular one of the one or more fields of the security tag specifies a virtual machine identifier for a virtual machine associated with the branch instruction.
7. The integrated circuit of claim 1 , wherein the branch prediction information is a branch target address.
8. The integrated circuit of claim 1 , wherein the branch prediction circuit is configured to:
decrypt the encrypted branch prediction information by:
performing a cipher to encrypt the machine context information; and
performing a Boolean exclusive-OR operation of the encrypted machine context information and the encrypted branch prediction information.
9. A method, comprising:
maintaining, by a branch prediction circuit in a processor, a table configured to store a plurality of entries with encrypted branch prediction information for a plurality of branch instructions;
receiving, by the branch prediction circuit, machine context information for a branch instruction being predicted by the branch prediction circuit, wherein the machine context information includes a program counter associated with the branch instruction; and
using, by the branch prediction circuit, the machine context information to decrypt the encrypted branch prediction information stored in a particular one of the plurality of entries corresponding to the branch instruction.
10. The method of claim 9 , further comprising:
preventing, by the branch prediction circuit, access to the encrypted branch prediction information in response to determining that at least one of an exception level or a virtual machine identifier for the branch instruction do not match respective values in fields of the particular entry.
11. The method of claim 9 , further comprising:
preventing, by the branch prediction circuit, access to the encrypted branch prediction information in response to determining that a guarded mode identifier for the branch instruction does not match a guarded mode identifier value in a particular field of the particular entry.
12. The method of claim 9 , wherein the branch prediction information is a branch target address.
13. A computing device, comprising:
a processor that includes a branch prediction circuit configured to:
access a table with a plurality of entries that store encrypted branch prediction information for a plurality of branch instructions;
receive machine context information for a branch instruction being predicted by the branch prediction circuit, wherein the machine context information includes a program counter associated with the branch instruction; and
use the machine context information to access the encrypted branch prediction information stored in a particular one of the plurality of entries, and to decrypt the encrypted branch prediction information.
14. The computing device of claim 13 , wherein the particular entry includes a security tag having one or more fields; and
wherein the branch prediction circuit is configured to compare data within the received machine context information to values of the one or more fields of the particular entry in order to determine whether access to the encrypted branch prediction information is permitted.
15. The computing device of claim 14 , wherein a particular one of the one or more fields of the security tag includes permissible exception levels for execution of the branch instruction.
16. The computing device of claim 13 , wherein the branch prediction information is a branch target address.
17. The computing device of claim 13 , wherein the branch prediction circuit is configured to decrypt the encrypted branch prediction information by:
performing a cipher to encrypt the machine context information; and
performing a Boolean exclusive-OR operation of the encrypted machine context information and the encrypted branch prediction information.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.